Singularity 2.5.0 Release

Apr 27, 2018 /

This release includes fixes for several high and medium severity security issues. It also contains a whole slew of bug fixes including the much awaited docker aufs whiteout file fix. It’s a new release instead of a point release because it adds a new dependency to handle this bug, includes some new (albeit minor) feature enhancements, and changes the behavior of a few environment variables (see below).

Singularity 2.5 should be installed immediately and all previous versions of Singularity should be removed. Many of the vulnerabilities fixed in this release are expected to affect all Linux distributions regardless of whether they implement overlayfs. There are no mitigations or workarounds for these issues outside of updating Singularity.

Additionally, Singularity 2.5 drops support for hosts that do not support the prctl() function PR_SET_NO_NEW_PRIVS. The PR_SET_NO_NEW_PRIVS feature was added to prctl() in the Linux 3.5 kernel. Various distributions have since backported this feature to currently maintained kernels (for example, Red Hat added this feature to RHEL 6.7 with the 2.6.32-504.16.2 kernel). Kernels that do not have this feature are inherently insecure in many ways. They do not implement container runtimes securely. Blocks have therefore been put in place to prevent Singularity 2.5 from building or running on vulnerable kernels.

Security related fixes

Patches are provided to prevent a malicious user with the ability to log in to
the host system and use the Singularity container runtime from carrying out any
of the following actions:

Create world writable files in root-owned directories on the host system by
manipulating symbolic links and bind mounts

Create folders outside of the container by manipulating symbolic links in
conjunction with the –nv option or by bypassing check_mounted function
with relative symlinks

Bypass the enable overlay = no option in the singularity.conf
configuration file by setting an environment variable

Implemented enhancements

Restore docker-extract aufs whiteout handling that implements correct
extraction of docker container layers. This adds libarchive-devel as a
build time dep. At runtime libarchive is needed for whiteout handling. If
libarchive is not available at runtime will fall back to previous
extraction method.

Changed behavior of SINGULARITYENV_PATH to overwrite container PATH and
added SINGULARITYENV_PREPEND_PATH and SINGULARITYENV_APPEND_PATH for users
wanting to prepend or append to the container PATH at runtime

Bug fixes

Support pulls from the NVIDIA cloud docker registry (fix by Justin Riley,
Harvard)

Close socket file descriptors in fd_cleanup

Fix conflict between –nv and –contain options

Throw errors at build and runtime if NO_NEW_PRIVS is not present and working